anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Apparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."

Yes, the FF r0x0rs comments are redundant. Even more so are the responses to those comments that suggest that FF crashing has anywhere even approaching the same level of impact as an IE exploit that allows remote control to be taken of the affected computer.

There is an exploit that my computer suffers from every day. It's called the 'Slash.ORG' worm, and it doesn't matter what kind of browser you use. Once the browser navigates to a certain website, it tends to stay there, refreshing as needed. It's called a DoPE attack, or 'Denial of Productivity for Employer.'

You say that in jest, but imagine the possibilities for exploits when/if we get to the point of direct neural implants for communications and such. Just imagine, instead of porn popups, lockups, and reboots we'll have people suddenly yelling about Viagra at the top of their lungs, freezing up and falling over mid-stride, and suddenly forgetting where they are.

Well, actually, yeah. I remember back in the early 90s when a secretary showed me this Mosaic thing she'd found. I told her it looked interesting, but that I could get anything I needed off of gopher. It didn't seem like anything that would take off. Fast forward a year or so, and I remarked to a couple of friends, after starting to use mosaic and looking at HTML, that in a couple of years you'd see web addresses instead of 800 numbers in advertising pretty soon. They looked at me like I told them compute

Yeah, I remember all those white pages with black text and blue links. Back when every nerd had to have a personal web site. Thank goodness browsers and the WWW got beyond academia because even with all the shit we have to put up with today (like this JScript exploit), the experience is far better and vastly outweighs the problems. Of course, there will always be a small number of irrelevant people who like to portray themselves as elite by complaining about how the concept of the browser has changed. I rea

Sure is fast I must say. About 200-250 ms load time vs as long as 10 seconds (mostly rendering time, not download time) for some news sites and other ill-designed sites.

And I have a fast (1.8 GHz processor running Konqueror) setup and broadband. I can just imagine the difference if I was on an old sub-GHz machine or on dial up. I'm also using Konqueror. For the odd site that doesn't work (forcing me to resort to Firefox), the render time is substantially increased.

You have a strange definition of "better" if you think that using flash and graphics where text makes sense is "better". Hooray for wasting bandwidth in order to provide a "media-rich" experience, when utilizing actual valid HTML would work just as well *and* provide a means of formatting for a variety of different output devices.

You don't have to design to the "lowest common denominator" if you use proper HTML 4.1 with CSS, but you do have to think about making a page that degrades gracefully. It's not really even hard - but thanks to IE and Netscape adding their own screwy tags + cheerfully accepting ill-formed HTML, web developers are among the laziest, worst informed developers around. Yeah, things sure are better now.

From eWeek: The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.

Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

Sony's CD copy protection installs in your Windows machine a rootkit that renders invisible any file whose name starts with '$sys$'. The *nix joke "word^Wother" (also written "word^H^H^H^H") meant: I wrote "word", but repented and erased it (with one control-w or N control-h keys) and substituted it for "other". The newly made Sony/Windows joke "$sys$word other" means: "word" becomes invisible and, just as in the unix case, I am saying "other" (when I really mean the harsher "word"). Funny thing is, it's not

1) Microsoft creates horribly insecure software with a lot of features. 2) People buy software, use it, and standardise on it. 3) Flaws are uncovered, but people can't move away from software because they need the features. 4) Profit!

Seriously, it's worked for IE (sites testing for IE only and declaring anything else as broken) and Office (people not moving away because Office has some random esoteric thing that they so badly need)

I don't understand this. You aren't the first person to tell me their Wife doesn't wanna run Firefox. You know what I did? I said to my wife "Wife. IE will break the computer and then I will have to spend all night fixing it rather than doing whatever else it is you wanted me to do.". My wife actually respects that I know what the crap I am talking about (just as I respect what the crap she is talking about in her area of expertise...which isn't IT) and goes with what I say.

Why don't you people just try explaining the problems to your wife and get over it?

Oh no.. here we go again. No, it's not that there's another flaw in IE that I say that because some things are inevitable.. death, taxes and IE flaws. But any self-respecting IT professional or geek won't be using IE anyway. Sure.. users do, but they're much further down the food chain.

No, the reason I'm saying it is that this being Slashdot we'll get the usual set of arguments about browser and OS supremacy. Again. It's like Groundhog Day!

Shucks, everything has security flaws. Yeah, some more than others. To be honest, I found it more of a shock that Lynx has a security flaw [idefense.com]. If you can't trust Lynx to be secure, then really nothing is secure. Except unplugging your computer and putting it back in the box, perhaps.

Some things are riskier than others, the decision is to avoid behaviors that exceed your risk tolerance threshold. For me that's the case with IE, it's just too risky for me to use it. Firefox on the other hand is currently tolerable, the benefit outweighs the risk.

Except that regular users comprise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.

we'll get the usual set of arguments about browser and OS supremacy.

If something has fewer security problems, isn't it "superior" in that respect?

If you can't trust Lynx to be secure, then really nothing is secure.

Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.

Interesting. I know Slashdot breaks their million page view per month limit (like in a couple hours), and I thought only users of AdWords were exempt from that limit? What's the deal guys? Anyone know anything else about Google Analytics?

This exploit exploits a vulnerability on an already found denial-of-service attack which Microsoft classified six months ago as "low-priority"...
Well at least Microsoft is shown in studies to have far less serious bugs, and therefore require less patches.

IE hackers too busy trying to play catch up with firefox to fix non-critical bugs, maybe?

The good thing of all this is that since Microsoft only releases security patches on thursday - you know, "admins want predictability" and all that shit that some companies use and that lots of shitty admins believe - so you have a full week as minimum to exploit this on your web pages. Enjoy, IE users!

The original article and the Slashdot headline are wrong. It's not a "zero-day exploit." The article itself says, "The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw." A zero-day exploit is one that is discovered or revealed the day software becomes available, be it brand-new software, an update, a patch, or a service pack.

So? When 90% of your "customers" are being told that they either turn off Javascript or get a virus, it doesn't matter whether the problem is with Javascript or IE - either way, there is no return for adding AJAX features to a web site. I'd rather spend my precious development resources on non-AJAX features that benefit everybody.

I don’t have to worry about JavaScript exploits because I use the new super safe IE7! It utilizes Microsoft’s super new language, JScript! Download this super new web browser today and keep your Windows safe from all those evil hackers*!

Isn't Google's master plan to take over the world dependent upon people using AJAX? If IE has a critical flaw using javascript, and everyone has to turn it off, then nobody will be able to use Google's new products and... Hey wait a minute.

Have you people not got the facts? Browsing the web using Microsoft Windows - and especially when using the excellent Microsoft Internet Explorer is proven to be much more secure than using those namby-pamby, tree-hugging, communist hippy programs you can get, like that Linux thing and Firefox. I mean, no-one uses those things anyway, do they? I always make sure that I am fully patched, and that my anti-spyware and anti-virus programs are up to date. Every morning I check through my root-kit and trojan scanner reports, right after my defrag has finished. I know for a fact that this so-called exploit hasn't affected me in th [NO CARRIER]

I have a dual boot system: 1. Windows for games and the occasional Windows-only software. Nothing sensitive there. Rootkit me all you want. 2. Linux for the serious stuff.

So... an attacker who's pwnz3d your Windows installation can't then access the MBR, futz with your bootloader and pass the options of his choice to your Linux kernel at next boot time? He can't install rfstool on the sly and mount your Linux partitions and plunder your personal information you keep there?

Take off the tin foil hat. The amount of work it would take to write such an exploit would be huge and would only get a tiny fraction of the market. There's no profit in it, there's no notoriety for it.

Would a worm do all that, or a clueless script kiddie? Probably not. As you say, there are too few dual-boot systems around. Bear in mind however that the Linux partition is still at risk from a malicious kiddie letting rip with fdisk.

But would a hacker do it? Yes, I think so. Especially if he'd just been

"Because the first choice is ridiculously, brain-dead easy. That's why." You are implying that the person breaking the law has an average level of intelligence. Haven't you seen "Maximum Exposure", "Real Police Videos", or any of the other caught on tape shows? They prove one thing, most criminals are dumb. True, there are a few gems in the rough, but by and large, the criminal element of society is not the brightest bulb in the box.

"Where's the notoriety in this? Oooh. I hacked a windows box. I'm so l33t."

Is a house with no doors or windows secure? Only if you're an idiot. Security is the ratio of difficulty of access by authorized vs. unauthorized users. Adding a process that makes it more difficult for both adds no security, it merely makes your users hate you.

The damn data janitors around here forget their job is first to provide a useful network.

Older versions of Norton AV leaked memory like crazy, but only when you ran a scan. The realtime protection was fine. You did need to reboot after a scan, however. Newer versions are either fixed or not so bad that I notice.